Microsoft has failed to remove from the Windows 7 release candidate a long-recognized security risk. The feature can let virus writers trick users into running malicious files, a security company says.